I could rebuild my cluster from backup before the upgrade to CentOS Stream. So I'll be able to work from there.
On Mon, 2021-03-08 at 17:41 +0100, Antoine Gatineau via FreeIPA-users wrote:
> Hello,
>
> I'm on freeipa 4.9.0 on CentOS Stream. (1 master and 1 replica)
> I have noticed that my replication is broken. Unfortunately, I don't know
> since when...
>
> First question, can it be fixed?
> Second question, is it possible to perform a restore (on one node, both nodes)
> to fix the issue?
> I recently upgraded from CentOS 8 to CentOS Stream (ipa with it). So can I
> restore from a previous version?
>
>
> Here are some snippets of what I see.
> $ sudo ipa-healthcheck
> Internal server error HTTPSConnectionPool(host='ipa-master-tmp.empire.lan',
> port=443): Max retries exceeded with url:
> /ca/rest/certs/search?size=3 (Caused by
> NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at
> 0x7fa49f3df320>: Failed
> to
> establish a new connection: [Errno -2] Name or service not known',))
> [
>   {
>     "source": "pki.server.healthcheck.clones.connectivity_and_data",
>     "check": "ClonesConnectivyAndDataCheck",
>     "result": "ERROR",
>     "uuid": "66815b82-56d9-43a4-9035-78333c5cb5cd",
>     "when": "20210308162643Z",
>     "duration": "0.364202",
>     "kw": {
>       "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host:
> ipa-master-tmp.empire.lan Port: 443"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ds.replication",
>     "check": "ReplicationCheck",
>     "result": "WARNING",
>     "uuid": "55addd45-6440-4317-8d0b-8eb0d516bd4e",
>     "when": "20210308162645Z",
>     "duration": "0.353734",
>     "kw": {
>       "key": "DSREPLLE0002",
>       "items": [
>         "Replication",
>         "Conflict Entries"
>       ],
>       "msg": "There were 6 conflict entries found under the replication
> suffix \"dc=empire,dc=lan\"."
>     }
>   }
> ]
>
> pki-tomcatd seems ok:
> $ sudo journalctl -u pki-tomcatd@pki-tomcat
> -- Logs begin at Mon 2021-03-08 17:24:39 CET, end at Mon 2021-03-08 17:35:01
> CET. --
> Mar 08 17:25:01 ipa-master.empire.lan systemd[1]: Starting PKI Tomcat Server
> pki-tomcat...
> Mar 08 17:25:04 ipa-master.empire.lan java[1613]: usr/lib/api/apiutil.c Could
> not open /run/lock/opencryptoki/LCK..APIlock
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: Java virtual machine
> used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: classpath used:
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-
> juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-la>
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: main class used:
> org.apache.catalina.startup.Bootstrap
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: flags used:
> -Dcom.redhat.fips=false
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: options used:
> -Dcatalina.base=/var/lib/pki/pki-tomcat -
> Dcatalina.home=/usr/share/tomcat
> -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/>
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: arguments used: start
> Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: pki.client:
> /usr/libexec/ipa/ipa-pki-wait-running:63: The subsystem in
> PKIConnection.__init__() has been deprecated (https>
> Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]:
> ipa-pki-wait-running: Created connection
> http://ipa-master.empire.lan:8080/ca
> Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]:
> ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
> master.empire.lan', port=8080): Max retries exceeded>
> Mar 08 17:25:06 ipa-master.empire.lan java[1716]: usr/lib/api/apiutil.c Could
> not open /run/lock/opencryptoki/LCK..APIlock
> Mar 08 17:25:06 ipa-master.empire.lan server[1716]: WARNING: Some of the
> specified [protocols] are not supported by the SSL engine and
> have
> been skipped: [[TLSv1, TLSv1.1]]
> Mar 08 17:25:07 ipa-master.empire.lan ipa-pki-wait-running[1717]:
> ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
> master.empire.lan', port=8080): Read timed out. (rea>
> Mar 08 17:25:09 ipa-master.empire.lan ipa-pki-wait-running[1717]:
> ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
> master.empire.lan', port=8080): Read timed out. (rea>
> Mar 08 17:25:11 ipa-master.empire.lan ipa-pki-wait-running[1717]:
> ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
> master.empire.lan', port=8080): Read timed out. (rea>
> Mar 08 17:25:12 ipa-master.empire.lan ipa-pki-wait-running[1717]:
> ipa-pki-wait-running: Success, subsystem ca is running!
> Mar 08 17:25:12 ipa-master.empire.lan systemd[1]: Started PKI Tomcat Server
> pki-tomcat.
>
> Best
> Antoine
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure